Microsoft quietly updated its Chromium-based Edge to version 80 last week, the first update for the browser since its debut in a stable format three weeks ago.
The company in Redmond, Washington, updated Edge to version 80.0.361.48 on Friday, February 7, just three days after Google updated Chrome to version 80.
Since then, developers at both Google and Microsoft have been working on their versions of Chromium 80, each using a multi-tier cadence of Canary, Dev, Beta, and then stable builds to release increasingly reliable and sophisticated code.
One question that Microsoft has not answered is how long it would take to get from Chromium to a finished version of Edge, especially if and if so, how long between the launch of Chrome by Google and the release of Edge through Microsoft. The shorter the delay, the better: criminals could potentially exploit a large vulnerability by reverse-engineering Chrome’s fixes for this version’s vulnerabilities and then applying the results to an unpatched edge.
The first Chrome security update released after Edge launched on January 15 was on January 16. Microsoft released an update for the same vulnerabilities on January 17. Although the tight window between the two was encouraging, the length of the update was still unknown Delay between Google promoting a new version of Chrome for the stable branch and Microsoft.
This delay was only three days.
On Tuesday, January 4th, Google Chrome released 80.0.3987.87 with new features and 56 security fixes. Google listed 37 of the 56 with CVE (Common Vulnerabilities & Exposures) identifiers. Ten of the 37 were rated “High”, the second hardest ranking in Chrome’s (and Chromium’s) four-tier rating system.
Running in Microsoft Edge security noticeThe company reported that Edge 80.0.361.48 also included fixes for the same 37 CVEs. (Presumably Microsoft has also patched the 29 bugs for which Google has not listed any CVEs.)
What Microsoft has not yet done is describe which non-security changes have been made to Edge between versions 79 and 80. (To be fair, Google hasn’t done this for Chrome 80, also because it tends to advertise new features and functionality when you reach the browser’s beta build.)
A comment on Support page For example, the title “Release Notes for Microsoft Edge Security Updates” was ridiculously short, and in the recommendation, Microsoft assumed to link to the Google 80 Chrome notice.
Some ideas about changes in Edge 80 can be found by browsing the browser Documentation of group policies with the string “since version 80.” This signaled that Edge 80 is likely to begin enforcing the SameSite cookie control standard around the same time as Chrome, and that mixed content will also be addressed, especially downloading files over unencrypted connections, as is the case with Chrome in March.
The near-Chrome version of Edge 80 also means that Edge 80 users should expect upgrades in the same rhythm as Chrome users with their browser and near the same dates.
The next versions of Chrome are expected to be released on this date. Microsoft should update Edge with days from them.
Chrome 81: March 17th
Chrome 82: April 28th
Chrome 83: June 9th
Chrome 84: August 4th
Chrome 85: September 15th